2024-05-02

This article was made possible thanks to contributions from Aaron Gdanski.

IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.

The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored by the Cybersecurity and Infrastructure Security Agency’s (CISA) recent Cybersecurity Advisory on the group and the hundreds of victims Akira ransomware actors have claimed across multiple industries and geographies.

Akira threat actors employ a double extortion scheme involving both exfiltration of data and enterprise-wide encryption. Akira affiliates demand a ransom payment in exchange for not publishing the stolen files on the group's onion site and for a decryption key to recover the affected files. The group's name appears to be an allusion to the plot of the 1988 anime film of the same name.